New discovery may make encryption ‘exponentially easier’ to break

This site may earn affiliate commissions from the links on this page. Terms of use.

“Brute force” may not seem like a term well suited to mathematics or the quiet pursuits in cryptography that helped drive information security from the Second World War on through to the modern surveillance state. Yet, it’s a term that may come back to prominence in the coming years, as researchers inch closer to finding the cracks in modern encryption algorithms. While programs like PRISM and XKeyScore may have access to your emails and social media, they’ve gained that access through legal requests, not hacking — encryption is still theoretically secure from mathematical attacks both sophisticated and brute.

In this context, “brute force” refers to the simple act of checking all possible combinations in order. You want to know a four-digit PIN, and so begin by guessing 0000, then 0001, then 0002, and so on. For a computer, such an operation is trivial, and will return the correct answer almost instantly. Cryptography is, really, the process of making such analyses as difficult as possible. With a purely brute force approach, it’s thought that a modern computer could chew on today’s PGP-derived encryption schemes for literally billions of years before happening upon a correct solution. This is what we call “secure.” Yet new research (pdf) from an MIT team including professor Muriel Médard (pictured above) suggests that our trust in communications security may be based on false assumptions about the very nature of information.

Claude E. Shannon, the creator of information theory.

Code-making and code-breaking is based largely on the idea of entropy, and the statistical probabilities that any particular string of characters will occur in a sequence. Current models assume that information conforms to Shannon entropy, which calculates average probabilities over large amounts of data. This may return correct results for messages overall, but code-breaking is all about finding cracks and pressing on them until the whole shatters. In cryptography, only a small stretch of data need deviate from the assumptions of Shannon entropy to render the whole insecure. The failure of this idea, called the uniformity assumption, could have profound implications for data security. In particular, even slight deviations from perfect uniformity in a source file can provide very real inroads for attackers.

Code-breaking has always been about building on small insights. We can leverage what we know about language, for instance, to identify letters in a very simple cipher. If “e” is the most common letter in the English language, then perhaps the most common character in the code represents that letter. Even if all you ever directly find is an “e,” you can start looking for the most common words containing the letter, like “the,” building on assumptions and quickly breaking complex ciphers with just a single initial insight. After a certain point, you’ve whittled down the possibilities for a message to the point that brute-force analysis becomes not just possible, but simple. After years without meaningful progress, Ancient Egyptian hieroglyphics were deciphered with astonishing quickness after the discovery of the symbol for Cleopatra.

These MIT researchers have shown that one of the most unchallenged assumptions in all cryptography, one that gets at ideas about the very nature of information theory, has left cryptography vulnerable to step-wise attacks of this kind. In their estimation it makes breaking current algorithms “exponentially easier than we thought,” though they are still “exponentially hard.” In other words, it takes a totally impossible task and makes it pretty much impossible, turns a billion-year effort into a multi-million-year one.

Still, it’s these sorts of efforts that can pile up to render our cyphers insecure and, perhaps more importantly, that can force mathematicians and engineers to reexamine their most unchallenged assumptions. As one researcher puts it, cryptography is all about securing your work against threats that you cannot test. In such a field, working from strong basic assumptions is a necessity. The researchers are confident that, having identified this potential weakness, developers will be able to shore up the weakness quickly enough.

Or you could just code in a 3 second delay response on all password entry programs. Wouldn’t that increase built in time on a brute force attack by like, a billionty-years?

Magnus Blomberg

That is only viable for say a login user name password authentication scenario where the attacker must let the victims software verify the username and password.

However if an attacker has got his hands on an encrypted file the attacker can chose whatever program and hardware he likes to try and decrypt it. It would be rather daft to chose a software that sleeps for three seconds after testing each key.

DannyBoyJr

But if the developer used scrypt or bcrypt to derive the encryption key, then even with the encrypted file, it would slow down brute-force searches, limit parallelization, and would require massive memory to defeat most hardware-based attacks.

No 3 second delays, for sure, but instead of 10 billion key searches per second, it can be reduced to about 1-2 thousand per second. Making even 6 character passwords hard to crack by brute-force.

Magnus Blomberg

I agree.

Gustavo Wentz Biasuz

That’s already done… It’s called Key stretching

wmac

“Brute force” is not necessarily related to login attempts in encryption field.

The assumption normally is that you have access to the encrypted information itself (in the form of an encrypted file, password hash etc.).

george999

Yeah, I think the Rosetta Stone might have had a bit more to do with deciphering hieroglyphics than simply figuring out Cleopatra’s name.

Postulative

The problem is that most of the Internet relies on algorithms that are thirty or forty years old, and that have been probed for much of that period. Some have been proven to be weaker than initially thought, while much of the Internet uses keys that are too short given modern computing power. It’s an arms race, and you have to keep improving your security to keep up with decryption capabilities.

The fact that something has just become “exponentially easier” to crack is nothing new. The question is whether this particular breakthrough will make it easier to crack a specific target’s security within a relatively trivial timeframe (hours or days).

zapper

Whats the point
when all your passwords are being stored on databases of apps written by Americans & stored mostly in American servers. All they need to do is to threaten a Bill Gates or Ballmer or any CEO of an IT co. and get their paws digging into the mound of soil ( no need to threaten even, if they force these cos. to make users sign flimsy agreements) . So your life is pretty much as exposed as having a public bath under glass panel by road side and NSA, & other govt agencies looking at your private parts.

This site may earn affiliate commissions from the links on this page. Terms of use.

ExtremeTech Newsletter

Subscribe Today to get the latest ExtremeTech news delivered right to your inbox.